The OWASP Foundation
http://www.owasp.org
OWASP EU Tour
Bucharest 2013
Penetration Testing
- a way for improving our cyber security
Adrian Furtunǎ
, PhD, OSCP, CEH
2
Agenda
Who am I
Why this topic
Case study 1
Case study 2
Lessons learned
Conclusions
Who am I
Member of the Pentest Team at KPMG Romania
Doing pentests against various applications and systems:
Internal networks, public networks
Web applications
Mobile applications
Wireless networks
Social engineering, etc
Speaker at Hacktivity, DefCamp, Hacknet and other local security
confs
Teaching assistant at Information Security Master programs (UPB,
MTA and ASE)
Why this topic?
The need for more efficient cyber
security
Penetration testing is part of the
defense-in-depth approach
Verify the effectiveness of defense mechanisms and people
Find weak spots in defense layers
Show the real risk of a vulnerability
Suggest corrective measures
Re-verify4
Is my data safe?
To better clarify terms…
Penetration Testing a.k.a. Pentesting, Ethical Hacking, Red Teaming
Method for evaluating the security of an information system or network by simulating attacks from malicious outsiders or insiders
Exploit vulnerabilities and dig much deeper
Penetration Testing is:
Authorized
Adversary based
Ethical (for defensive purposes)
Penetration Testing
is not
Vulnerability Assessment / Scanning
Manual tests find this
Case Study 1
Pentesting the internal network (2011)
Objective:
See what an internal malicious user could do, given simple network
physical access.
Malicious user:
visitor, contractor, malicious employee
Targets:
confidential data, client information,
strategic business plans, etc
Pentesting the internal network (2011) – cont.
Pentesting the internal network (2011) – cont.
1.
Network mapping
IP rangesPentesting the internal network (2011) – cont.
1.
Network mapping
IP ranges
Host names2.
Service and OS discovery
Windows 7
Windows 2008 Server R2
Common client ports open
IIS, MsSQL, Exchange, etcPentesting the internal network (2011) – cont.
1.
Network mapping
IP ranges
Host names2.
Service and OS discovery
Windows 7
Windows 2008 Server R2
Common client ports open
IIS, MsSQL, Exchange, etc3.
Vulnerability scanning
Nessus: 1 high, 30 medium, 39 lowPentesting the internal network (2011) – cont.
4.
Exploitation
Pentesting the internal network (2011) – cont.
4.
Exploitation
Pentesting the internal network (2011) – cont.
4.
Exploitation
Add local admin5.
Post-exploitation
Info gathering
Credentials to other systemsPentesting the internal network (2011) – cont.
4.
Exploitation
Add local admin5.
Post-exploitation
Info gathering
Credentials to other systems6.
Pivoting
Connect to 2nd db serverPentesting the internal network (2011) – cont.
4.
Exploitation
Add local admin5.
Post-exploitation
Info gathering
Credentials to other systems6.
Pivoting
Connect to 2nd db server
Upload Meterpreter7.
Post-exploitation
List tokens
Impersonate Domain Admin token
Create Domain Admin user16
Pentesting the internal network (2011) – cont.
Game Over
Case Study 2
Pentesting the (same) internal network (2012)
Objective:
See what an internal malicious user could do, given simple network
access.
Test the findings from previous year
Malicious user:
visitor, contractor, malicious employee
Targets:
confidential data, client information,
strategic business plans, etc
Initial access:
network port in users subnet
Pentesting the (same) internal network (2012) – cont.
1.
Network mapping
~ the same as last year2.
Service and OS discovery
~ the same as last yearPentesting the (same) internal network (2012) – cont.
1.
Network mapping
~ the same as last year2.
Service and OS discovery
~ the same as last year3.
Vulnerability scanning
Nessus: 0 high, 21 medium, 20 lowPentesting the (same) internal network (2012) – cont.
1.
Network mapping
~ the same as last year2.
Service and OS discovery
~ the same as last year3.
Vulnerability scanning
Nessus: 0 high, 21 medium, 20 low Now what?
No default/weak passwords
No missing patches
No exploitable config problems
No sql injection…Pentesting the (same) internal network (2012) – cont.
Pentesting the (same) internal network (2012) – cont.
4.
Attack the clients – method 1
Setup a fake local NetBIOS server
Respond to every request with my IP address
Setup multiple local services (HTTP, SMB)
Request Windows authentication on connection => capture password hashesPentesting the (same) internal network (2012) – cont.
4.
Attack the clients – method 1 – cont.
Captured around NTLM 50 hashes
Cracked about 25% using dictionary attack with mangling rules in a few hours
Gained network access as domain user (low privileges)
Could access some shared files on file serverPentesting the (same) internal network (2012) – cont.
4.
Attack the clients – method 2
Man in the middle attack between victim and proxy server
Setup a fake local proxy server
Request Basic authentication
Receive user’s credentials in clear text (base64 encoded)Pentesting the (same) internal network (2012) – cont.
4.
Attack the clients – method 2 – cont
The victim sees this:Pentesting the (same) internal network (2012) – cont.
5.
Exploitation
Got local admin password (global) from a special user
Could connect as admin on any workstationPentesting the (same) internal network (2012) – cont.
5.
Exploitation
Got local admin password (global) from a special user
Could connect as admin on any workstation6.
Pivoting
Search the machines from IT subnet for interesting credentials / tokens
Found a process running as a domain admin userPentesting the (same) internal network (2012) – cont.
5.
Exploitation
Got local admin password (global) from a special user
Could connect as admin on any workstation6.
Pivoting
Search the machines from IT subnet for interesting credentials / tokens
Found a process running as a domain admin user7.
Exploitation
Impersonate domain admin
Add user to domain admin group30
Pentest comparison
32
2011 2012
Low hanging fruits removed no yes IT personnel vigilance low high Network prepared for pentest no yes
Existing vulnerabilities yes yes (lower nr) Overall exploitation difficulty medium high
Consultant’s advice
Make yourself periodic vulnerability assessments (e.g. Nessus scans)
Prepare your network before a pentest (you should always be
prepared, btw)
An homogeneous network is easier to defend then an
heterogeneous one
Do not allow local admin rights for regular users
Patch, patch, patch
Conclusions
Penetration testing can be used for improving our cyber security
Do it periodically with specialized people
Mandatory for new applications / systems before putting in production
Vulnerability assessment is not penetration testing
Thank You!
Adrian Furtunǎ, PhD, OSCP, CEH
adif2k8@gmail.com